RSA: Researchers Warn Against Selling On Security Hype

Security vendors often point to the growing complexity of threats to infrastructure and devices to drum up interest in new products, but recent high-profile attacks have employed well-known, relatively simple tactics.

That's according to the security researchers who took part in a wide-ranging Wednesday morning panel discussion at RSA 2012 that covered emerging threats, hacktivism, mobile malware and the looming specter of cyber-warfare.

Anonymous, which last year launched a campaign of attacks against various companies, government agencies and other groups, and declared war on the U.S. government Wednesday, has caused organizations to step up security spending, panelists agreed.

However, the selling on fear that has accompanied the Anonymous attacks is a disturbing trend, said David Litchfield, chief security architect at Accuvant, a Denver-based security solution provider. In his view, vendors should stick to advocating adherence to security best practices.

"Anonymous is a useful tool for people who excel at [fear, uncertainty and doubt]," Litchfield said. "It has got out of hand and is being used as a stick to beat people. It's selling FUD, and we need to get away from that in the security industry."

Panelists also took aim at the term Advanced Persistent Threat (APT), which has become another favorite buzzword for vendors. APTs have certainly caused problems for organizations in the public and private sectors, but these attacks rely on social engineering of the target rather than on technically advanced tooling, researchers said.

"These attacks are not sophisticated -- they're stupid phishing e-mails. Someone opens a PDF and it's done," said Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab. "They are as sophisticated as they need to be, and the sad reality is that simple tools and exploitation techniques are still very effective."

One issue that hasn’t been overhyped, panelists said, is the threat posed by mobile malware.

Kevin Mahaffey, co-founder and CTO of Lookout Mobile Security, said that because WebKit is the HTML rendering engine on every smartphone operating system except Windows Phone, a single bug in that one engine could have far-reaching consequences across platforms. The slow pace at which bugs are patched in the mobile market adds to the risk.

"The dirty little secret in mobile is that firmware update speed moves slowly and bugs are patched on [this update cycle]," Mahaffey said. "Some manufacturers don't update firmware at all, which means you may be running a three-year-old browser that is vulnerable to every WebKit bug on Metasploit."

Mobile malware has primarily been limited to Android at this stage of the game, but it's likely to spread over time as attackers target the mass of devices running other operating systems, Mahaffey said. "If we look at mobile as the history of PCs running at fast forward, we are heading for the same issues. We need to get patch cycles up to speed."

As is the case with APTs, however, mobile attacks aren't using fancy tactics, and most issues that have surfaced thus far can be avoided through basic security precautions, researchers said.

Attackers have yet to target iOS, but that's not because the App Store is an impenetrable fortress of security, researchers said. Apple security expert Charlie Miller, principal research consultant for Accuvant Labs, last year was able to upload a proof-of-concept app containing an iOS exploit to the App Store.

Apple subsequently yanked Miller's developer license, but Schouwenberg said there should be a platform for testers to explore iOS and Android security in ways that could lead to more secure products.

"Right now, we just need to trust Apple and Google that everything is fine," Schouwenberg said.